✘"\x07ntske/1"
Gary E. Miller
gem at rellim.com
Wed Jul 24 19:29:14 UTC 2019
Yo Hal/Daniel!
Does this look to you two like the fix to the Hackathon issues?
On Wed, 24 Jul 2019 21:19:59 +0200
Achim Gratz via devel <devel at ntpsec.org> wrote:
> Achim Gratz via devel writes:
> > The disagreement probably was about how the server code compares the
> > strings. The API description is pretty clear on that the "in"
> > parameter is just the char array of "inlen" characters (the counted
> > string is already split), so indeed the code (which Hal changed
> > from what Christer had originally committed) seems wrong.
>
> I misread that description, out/outlen is a single protocol and
> in/inlen is a protos list. :-P
>
> Anyway, this or something very close to it should implement the
> required matching algorithm:
>
> --8<---------------cut here---------------start------------->8---
> Subject: [PATCH] ntpd/nts_server.c: ALPN protocol matching
>
> ---
> ntpd/nts_server.c | 34 +++++++++++++++++-----------------
> 1 file changed, 17 insertions(+), 17 deletions(-)
>
> diff --git a/ntpd/nts_server.c b/ntpd/nts_server.c
> index 20ea8a02b..00570771c 100644
> --- a/ntpd/nts_server.c
> +++ b/ntpd/nts_server.c
> @@ -56,29 +56,29 @@ static int alpn_select_cb(SSL *ssl,
> void *arg)
> {
> static const unsigned char alpn[] = { 7, 'n', 't', 's', 'k', 'e',
> '/', '1' };
> - unsigned i, len;
> + unsigned i, j, initemlen, alpnitemlen;
>
> UNUSED_ARG(ssl);
> UNUSED_ARG(arg);
>
> - for (i = 0; i < inlen; i += len) {
> - len = in[i]+1; /* includes length byte */
> -#if 0
> - char foo[256];
> - strlcpy(foo, (const char*)in+i+1, len);
> - msyslog(LOG_DEBUG, "DEBUG: alpn_select_cb: %u, %u, %s",
> inlen-i, len, foo); -#endif
> - if (len > inlen-i)
> - /* bogus arg: length overlaps end of in buffer */
> - return SSL_TLSEXT_ERR_ALERT_FATAL;
> - if (len == sizeof(alpn) && !memcmp(in+i, alpn, len)) {
> - *out = in+i;
> - *outlen = len;
> - return SSL_TLSEXT_ERR_OK;
> + /* iterate over input protos list */
> + for (i = 0; i < inlen; i += initemlen) {
> + initemlen = in[i++]; /* consume length byte */
> + /* iterate over server protos list */
> + for (j = 0; j < sizeof(alpn); j += alpnitemlen) {
> + alpnitemlen = alpn[j++]; /* consume length byte */
> + if (initemlen == alpnitemlen
> + && !memcmp(in+i, alpn+j, initemlen)) {
> + *out = in+i;
> + *outlen = initemlen;
> + return SSL_TLSEXT_ERR_OK;
> + }
> + /* check next entry in alpn */
> }
> + /* check next entry in in */
> }
> -
> - return SSL_TLSEXT_ERR_NOACK;
> + /* input and server protos list have no common entry */
> + return SSL_TLSEXT_ERR_ALERT_FATAL;
> }
> #endif
>
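Review bot: the rewritten outer loop drops the check that a client entry fits inside the buffer. After `initemlen = in[i++]`, the `memcmp(in+i, alpn+j, initemlen)` runs whenever the length byte equals 7, so it can read past `in+inlen` if fewer than 7 bytes remain in the list. The removed code rejected that case with `if (len > inlen-i)`; an equivalent test right after the length byte is consumed, such as `if (initemlen > inlen - i) return SSL_TLSEXT_ERR_ALERT_FATAL;`, would keep that guarantee. Separately, the final return changes from `SSL_TLSEXT_ERR_NOACK` to `SSL_TLSEXT_ERR_ALERT_FATAL`, which alters what a client with no common protocol sees, and the empty commit message should say so.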
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
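The matching over a length-prefixed protos list that the quoted mail describes, written as a stand-alone C function with a per-entry bounds check. This is an added example, not code from the patch or from NTPsec; `alpn_match`, the result enum and the sample client lists are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Result codes local to this example (not OpenSSL's SSL_TLSEXT_ERR_* values). */
enum alpn_result { ALPN_MATCH, ALPN_NO_OVERLAP, ALPN_MALFORMED };
/* Server list in ALPN wire format: one length byte, then the name. */
static const unsigned char server_protos[] = { 7, 'n','t','s','k','e','/','1' };
/* Constructed client lists: a match, no overlap, and an overstated length byte. */
static const unsigned char client_ok[]    = { 2, 'h','2', 7, 'n','t','s','k','e','/','1' };
static const unsigned char client_none[]  = { 2, 'h','2', 8, 'h','t','t','p','/','1','.','1' };
static const unsigned char client_trunc[] = { 2, 'h','2', 7, 'n','t','s' };

/* Return the first entry of the client list "in" that also appears in "srv".
 * On ALPN_MATCH, *out points at the name inside "in" (past its length byte). */
static enum alpn_result alpn_match(const unsigned char **out, unsigned char *outlen,
                                   const unsigned char *in, size_t inlen,
                                   const unsigned char *srv, size_t srvlen)
{
    size_t i = 0;
    while (i < inlen) {
        size_t ilen = in[i++];               /* consume length byte */
        if (ilen == 0 || ilen > inlen - i)   /* empty, or runs past the buffer */
            return ALPN_MALFORMED;
        size_t j = 0;
        while (j < srvlen) {
            size_t slen = srv[j++];          /* consume length byte */
            if (slen == 0 || slen > srvlen - j)
                return ALPN_MALFORMED;       /* server list itself is broken */
            if (ilen == slen && memcmp(in + i, srv + j, ilen) == 0) {
                *out = in + i;
                *outlen = (unsigned char)ilen;
                return ALPN_MATCH;
            }
            j += slen;
        }
        i += ilen;
    }
    return ALPN_NO_OVERLAP;
}

int main(void)
{
    const unsigned char *out = NULL;
    unsigned char len = 0;
    int r = alpn_match(&out, &len, client_ok, sizeof client_ok, server_protos, sizeof server_protos);
    printf("ok: %d (%.*s)\n", r, (int)len, r == ALPN_MATCH ? (const char *)out : "");
    printf("none: %d\n", alpn_match(&out, &len, client_none, sizeof client_none, server_protos, sizeof server_protos));
    printf("trunc: %d\n", alpn_match(&out, &len, client_trunc, sizeof client_trunc, server_protos, sizeof server_protos));
    return 0;
}
```

Entries are validated as they are reached, so a list with a matching entry ahead of a malformed one still returns a match.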